Massive hack: Info of 1.6 million who sought unemployment

It involved third-party software used by the state auditor’s office to transmit files.

  • By Wire Service
  • Monday, February 1, 2021 6:09pm
  • Northwest
Washington state Auditor Pat McCarthy speaks during an online news conference about a massive data breach which exposed the personal information of 1.6 million state residents. (TVW)

Associated Press and Herald staff

A Washington agency examining how the state fell victim to massive unemployment fraud last year said Monday that files on 1.6 million claims that it obtained for its investigation have been exposed by a data breach — meaning people who already lost work due to the pandemic might have to add identity theft to their difficulties.

The breach involved a third-party software vendor, Accellion, which the state Auditor’s Office uses to transmit files. The auditor has been looking into how Washington’s Employment Security Department lost hundreds of millions of dollars to fraudsters, including a Nigerian crime ring, who rushed to cash in on sweetened pandemic-related benefits by filing fake unemployment claims in the names of real state residents.

“I know this is one more worry for Washingtonians who have already faced unemployment in a year scarred by both job loss and a pandemic,” Auditor Pat McCarthy said in a news release. “I am sorry to share this news and add to their burdens.”

During a news conference later in the day, she called it “ironic” that files the agency obtained from the Employment Security Department to investigate the fraud would be subject to a breach, possibly opening victims to more fraud.

Those potentially affected include people who filed for unemployment benefits between Jan. 1 and Dec. 10, 2020. That includes many state workers as well as people who had fake unemployment claims submitted on their behalf.

It’s not clear how many people are affected because some would have filed multiple unemployment claims, but McCarthy said she believes it to be at least 1 million people — close to 1 in 7 Washington residents.

The data includes names, Social Security numbers, driver’s license numbers, bank information and place of employment. The Auditor’s Office says it is working with state cybersecurity officials, law enforcement and others to try to mitigate the damage.

McCarthy said state and federal law enforcement authorities are investigating. The state Attorney General’s Office is engaged too, she said.

Also potentially affected was information of both employees and around 100 clients of the Department of Children, Youth and Families. About 100 local governments and 25 other state agencies had information exposed in the breach, as well.

The Department of Social and Health Services, for example, reported eight information files involved. Of those, seven contained no client information, said Adolfo Capestany, senior director in the DSHS Office of Communications. One file contained personal information as part of an assessment of one client, he said.

And the city of Mukilteo learned it may be a victim, too.

Mayor Jennifer Gregerson said the state informed city officials that a file containing various documents related to a recently completed audit was among those potentially exposed. As a precaution, the city’s insurer was notified, she said.

When city staff did more digging, they discovered a second document may be involved, Gregerson said. It contained information from a 2019 review of Mukilteo’s IT security procedures.

“Based on what I’ve read and understand of the files involved, I’m not concerned about our files that appear to have been part of this,” she said. “There’s been no personal identifying info involved that we know of.”

In a statement Monday, Palo Alto, California-based Accellion called the attack “highly sophisticated” and said it targeted the company’s legacy secure file-transmitting software, a 20-year-old product called FTA. The Auditor’s Office said it had nearly completed transitioning from that product to the company’s new one at the end of the year when the breach occurred; since Dec. 31, the auditor’s office has been on the new system.

Other Accellion customers were also affected, including Australia’s securities regulator and New Zealand’s central bank.

McCarthy said the state learned of the attack Jan. 12 after Accellion made a general announcement regarding a security breach, but Accellion said it notified customers Dec. 23. It wasn’t until last week that the Auditor’s Office learned what files might have been accessed, McCarthy said.

The Auditor’s Office said it has used Accellion for the past 13 years, on a contract worth about $17,000 annually.

“We paid for, we expected and we deserve to have a secure system,” McCarthy said. “We had no indication, no inclination that this product was not secure.”

McCarthy said the agency is “working as fast as we can” to identify people who may have been affected.

The latest information on the breach, and resources for those affected, can be found on the agency web site at www.sao.wa.gov/breach2021.

Herald writer Jerry Cornfield contributed.
